Upgrade io.grpc to 1.60.1

[Akanksha-kedia]

Description

outlines the direct vulnerabilities and vulnerabilities from dependencies for io.grpc and com.google.protobuf.

Motivation and Context

The io.grpc package, specifically the grpc-protobuf artifact version 1.35.0, has several identified vulnerabilities:

Direct vulnerabilities:

CVE-2023-32732
CVE-2023-32731
CVE-2023-1428
Vulnerabilities from dependencies:

CVE-2023-2976
CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
CVE-2021-22570
CVE-2021-22569
CVE-2020-8908
The com.google.protobuf package, specifically the protobuf-java artifact version 3.12.0, has several identified vulnerabilities:

Direct vulnerabilities:

CVE-2022-3510
CVE-2022-3509
CVE-2022-3171
CVE-2021-22570
CVE-2021-22569
Vulnerabilities from dependencies:

CVE-2023-2976
CVE-2020-8908
CVE-2020-15250

Impact

At this time, these vulnerabilities are not expected to have a major impact.

Test Plan

Unit tests for presto-bigquery and other relevant components will be conducted to ensure system stability.

[INFO]
[INFO] <<< spotbugs:3.1.10:check (default) < :spotbugs @ presto-bigquery <<<
[INFO]
[INFO]
[INFO] --- spotbugs:3.1.10:check (default) @ presto-bigquery ---
[INFO]
[INFO] >>> pmd:3.11.0:check (default) > :pmd @ presto-bigquery >>>
[INFO]
[INFO] --- pmd:3.11.0:pmd (pmd) @ presto-bigquery ---
[INFO]
[INFO] <<< pmd:3.11.0:check (default) < :pmd @ presto-bigquery <<<
[INFO]
[INFO]
[INFO] --- pmd:3.11.0:check (default) @ presto-bigquery ---
[INFO]
[INFO] --- install:2.5.2:install (default-install) @ presto-bigquery ---
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/target/presto-bigquery-0.286-SNAPSHOT.zip to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT.zip
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/pom.xml to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT.pom
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/target/presto-bigquery-0.286-SNAPSHOT.jar to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT.jar
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/target/presto-bigquery-0.286-SNAPSHOT-tests.jar to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT-tests.jar
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/target/presto-bigquery-0.286-SNAPSHOT-sources.jar to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT-sources.jar
[INFO] Installing /Users/akedia/dec2024/prestodb/presto-bigquery/target/presto-bigquery-0.286-SNAPSHOT-test-sources.jar to /Users/akedia/.m2/prestodb_28/com/facebook/presto/presto-bigquery/0.286-SNAPSHOT/presto-bigquery-0.286-SNAPSHOT-test-sources.jar

Contributor checklist

• Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

== RELEASE NOTES ==
Security Changes
* Upgrade io.grpc to 1.60.1
* Upgrade com.google.protobuf to 3.25.1

[Akanksha-kedia]

@tdcmeehan please help to review

[steveburnett]

Would it help to mention these changes in the release notes? I wasn't sure what the title "Direct vulnerabilities for io.grpc" meant until I read the files being changed, and also not only io.grpc appears to be changed by this PR.

Based on the Release Note Guidelines, perhaps release note entries for these changes similar to the following suggestion might be appropriate:

== RELEASE NOTES ==
Security Changes
* Upgrade io.grpc to 1.60.1
* Upgrade com.google.protobuf to 3.25.1

I suggest Security Changes as a potential better heading than General Changes for these entries, given the CVEs affecting the older versions of these two items appear to be the motivation for this PR.

[skairali]

@Akanksha-kedia This is a needed change for many use cases, Thank you

But I see that grpc version is not changed at all places

Example : https://github.com/Akanksha-kedia/prestodb/blob/fi2/presto-pinot/pom.xml

Could you please make sure that upgrade is comprehensive?

[Akanksha-kedia]

I ll quickly check and revert back to you

…

On Tue, 16 Jan 2024 at 2:07 PM, Sudheesh ***@***.***> wrote: ***@***.**** requested changes on this pull request. @Akanksha-kedia <https://github.com/Akanksha-kedia> This is a needed change for many use cases, Thank you But I see that grpc version is not changed at all places Example : https://github.com/Akanksha-kedia/prestodb/blob/fi2/presto-pinot/pom.xml Could you please make sure that upgrade is comprehensive? — Reply to this email directly, view it on GitHub <#21668 (review)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AVL2AZSBDRFGLAYRKDPRMZTYOY34TAVCNFSM6AAAAABBUJEKS2VHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMYTQMRSG43TMMZWGE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Akanksha-kedia]

@skairali please review, i see presto-docs is failing but i see no changes related to mine.

[Akanksha-kedia]

@skairali please review

[steveburnett]

Please format the release note entry with a row of three ` above and below. If my description here isn't clear, you can see an example by selecting Edit on my earlier comment.

[skairali]

@Akanksha-kedia Changes looks good.

Please complete the release notes as @steveburnett requested in this case.

Also can you please explain why do we have packages in exclusion list?

[Akanksha-kedia]

@steveburnett i have corrected please review or guide how to correctly do, @skairali can you reframe the question?

[steveburnett]

@steveburnett i have corrected please review or guide how to correctly do, @skairali can you reframe the question?

Your release note entry is not properly formatted, and contains lines it does not need to.

1. Delete the following lines in your release note entry

General Changes

No change
Hive Changes

No change

2. Above the line Security Changes, add a new line containing three `, like this:

```

3. Below the line Upgrade com.google.protobuf to 3.25.1, add a new line containing three `, like this:

```

Your final result should look like the example that I provided in my comment last week.

[skairali]

@Akanksha-kedia I see below

Just need an explanation of why this is required?

[Akanksha-kedia]

@Akanksha-kedia I see below

Just need an explanation of why this is required?

@skairali i was getting this error :
[WARNING] Found duplicate (but equal) classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.PersistentHashArrayMappedTrie [WARNING] io.grpc.ThreadLocalContextStorage [WARNING] Found duplicate and different classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.Context [WARNING] io.grpc.Deadline [WARNING] Found duplicate classes/resources in compile classpath. [WARNING] Found duplicate (but equal) classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.PersistentHashArrayMappedTrie [WARNING] io.grpc.ThreadLocalContextStorage [WARNING] Found duplicate and different classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.Context [WARNING] io.grpc.Deadline [WARNING] Found duplicate classes/resources in runtime classpath. [WARNING] Found duplicate (but equal) classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.PersistentHashArrayMappedTrie [WARNING] io.grpc.ThreadLocalContextStorage [WARNING] Found duplicate and different classes in [io.grpc:grpc-api:1.60.1, io.grpc:grpc-context:1.35.0]: [WARNING] io.grpc.Context [WARNING] io.grpc.Deadline [WARNING] Found duplicate classes/resources in test classpath.

@steveburnett please review @skairali and help to merge.

[steveburnett]

@steveburnett please review @skairali and help to merge.

Your final result should look like the example that I provided in #21668 (comment).

[Akanksha-kedia]

@steveburnett please review @skairali and help to merge.

Your final result should look like the example that I provided in #21668 (comment).

@steveburnett done

[Akanksha-kedia]

@steveburnett @skairali @tdcmeehan please review.

[Akanksha-kedia]

@steveburnett @skairali @tdcmeehan please review.

please review @skairali

[Akanksha-kedia]

@tdcmeehan please review

[skairali]

@Akanksha-kedia Please squash the commits and let me know

[Akanksha-kedia]

@Akanksha-kedia Please squash the commits and let me know

i have done @skairali

[skairali]

Approved

[steveburnett]

Reviewed at @skairali's request - the release note looks good and I have no other concerns.

[tdcmeehan]

@Akanksha-kedia how have you tested these changs?

[Akanksha-kedia]

Ran ut for testing

…

On Tue, 30 Jan 2024 at 9:07 PM, Timothy Meehan ***@***.***> wrote: @Akanksha-kedia <https://github.com/Akanksha-kedia> how have you tested these changs? — Reply to this email directly, view it on GitHub <#21668 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AVL2AZSMI63XXZH6SMA72KTYREHTBAVCNFSM6AAAAABBUJEKS2VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMYTSMJXGI2TKNBUHE> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[Akanksha-kedia]

@skairali @tdcmeehan review please

[Akanksha-kedia]

@tdcmeehan review please

[tdcmeehan]

@Akanksha-kedia I am not confident in just the UT coverage. Please try to run against actual deployments of BigQuery and Pinot and report your findings.

[elharo]

moot, we're now at 1.64.0